Still infected, 300,000 PCs to lose Internet access July 9

If you haven’t already seen the screaming headlines across the blogosphere declaring the arrival of Internet Armageddon for a quarter-million PCs because of a virus, allow us to get you up to speed. Believe it or not, some of the 4 million computers hijacked by Estonian and Russian hackers through a long-running botnet called DNSChanger are still not cleaned up, over eight months after the FBI and Estonian authorities broke up the ring in November of 2011.

The malware changed infected PCs’ DNS settings to point at rogue DNS servers run by the ring. Controlling name resolution let the ring reroute a user’s click on a Web advertisement to a site of its choosing and replace Web ads with those of companies that paid the ring for the clicks. When the FBI shut down the rogue DNS servers at the center of the ring, the US District Court for the Southern District of New York appointed Internet Systems Consortium, a not-for-profit company, to keep answering queries at those servers’ addresses so affected users would not lose Internet access before they could remove the malware and fix their DNS settings. The FBI also posted tools to help PC owners check whether their system was affected by the botnet. (If you haven’t checked yours, go there now.)

On Monday, July 9, the court order runs out, and ISC will pull the plug on the replacement DNS servers. But by some estimates, as many as 300,000 computers still point at those servers for name resolution. Those systems will lose the ability to look up domain names for websites and e-mail when the servers go offline.
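
As an added example (not code from the article, the FBI, or ISC): a Python script that reads the resolvers a machine is actually configured to use and checks them against the address ranges the FBI published for the DNSChanger rogue resolvers. The six ranges are reproduced from the FBI's list as I remember it and should be verified against that list before you rely on them; the sample `resolv.conf` and `ipconfig /all` text below is constructed, not captured from a real machine.

```python
"""Check configured DNS resolvers against the DNSChanger rogue ranges.

Added example; not the article's, the FBI's, or ISC's code.
"""
import ipaddress
import platform
import re
import subprocess

# The rogue-resolver ranges the FBI published for DNSChanger, reproduced
# from memory of that list. Verify against the FBI's advisory before use.
ROGUE_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20",
    "67.210.0.0/20",
    "93.188.160.0/21",
    "77.67.83.0/24",
    "213.109.64.0/20",
    "64.28.176.0/20",
)]


def rogue_resolvers(resolvers):
    """Return the resolver addresses that fall inside a rogue range."""
    hits = []
    for addr in resolvers:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # ignore anything that is not an IP address
        if any(ip in net for net in ROGUE_RANGES):
            hits.append(addr)
    return hits


def parse_resolv_conf(text):
    """Extract nameserver addresses from /etc/resolv.conf-style text."""
    return re.findall(r"^\s*nameserver\s+(\S+)", text, re.MULTILINE)


def parse_ipconfig(text):
    """Extract DNS server addresses from `ipconfig /all` output.

    The first server sits on the 'DNS Servers' line; any further servers
    follow on continuation lines that hold nothing but an address.
    """
    servers = []
    collecting = False
    for line in text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            servers.append(m.group(1))
            collecting = True
            continue
        if collecting:
            m = re.fullmatch(r"\s+(\S+)\s*", line)
            if m:
                servers.append(m.group(1))
            else:
                collecting = False
    return servers


def configured_resolvers():
    """Read the live resolver configuration of this host."""
    if platform.system() == "Windows":
        out = subprocess.run(["ipconfig", "/all"], capture_output=True,
                             text=True, check=False).stdout
        return parse_ipconfig(out)
    with open("/etc/resolv.conf") as fh:
        return parse_resolv_conf(fh.read())


# Constructed sample inputs (not captured from a real machine).
SAMPLE_RESOLV_CONF = """\
# constructed sample
nameserver 85.255.112.57
nameserver 8.8.8.8
"""

SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.20
   DNS Servers . . . . . . . . . . . : 85.255.112.57
                                       213.109.70.10
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    resolvers = configured_resolvers()
    bad = rogue_resolvers(resolvers)
    print("configured resolvers:", resolvers)
    if bad:
        print("WARNING: resolver(s) in DNSChanger rogue ranges:", bad)
    else:
        print("no resolver in the DNSChanger rogue ranges")
```

Run it with no arguments on the machine in question. One caveat the FBI's own check shared: a home router that was itself reconfigured by the malware hands the rogue addresses to every PC behind it via DHCP, so a clean PC can still report a rogue resolver; in that case the router's DNS settings are what need fixing.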

Honestly, at this point, they deserve it. From what I've read in other articles, they've been contacted by ISPs, Google has elected to spread the message to those that are infected, as well as several other methods of communication.

If they're still unaware, maybe this will finally be a good wake-up call for them.

These are likely the growing minority of computer users who simply do not patch their boxen, barely check their email, and who have almost no connection to the technical side of computing at all. Hardly seems fair to indict them for it, but let's be honest. If this were your car, and you never changed your oil, checked your fluids, or maintained your tires, and never even took the car to a mechanic for a check every few months, would you expect the car to still be running?

Curiously, some people expect their computers to keep running as they cruise the information superhighway. Granted, no one is trying to assault your car on the freeway...

I foresee an impending spike in calls to local computer repair shops, ISPs, and friends "who are good at computers." As if people whose boxes are still using the DNS servers in question know about this, let alone what it means when you can ping 4.2.2.1 or 8.8.8.8 but can't resolve websites.
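
The "can ping 8.8.8.8 but can't resolve websites" symptom, as an added example (not code from the article or any commenter): a Python script that asks the operating system to resolve a name, then sends the same question directly to a public resolver (8.8.8.8 by default, an assumption you can change) using a hand-built DNS packet, and classifies the outcome. If the direct query succeeds while the system resolver fails, the machine has connectivity and only its DNS settings are wrong, which is exactly the state a DNSChanger victim will be in once the replacement servers stop answering. The sample response bytes are constructed for the test; 192.0.2.1 is a documentation address, not example.com's real one.

```python
"""Tell 'network down' apart from 'only DNS broken'.

Added example; not code from the article. Builds and parses a minimal
DNS A query (RFC 1035 wire format) so one resolver can be asked directly,
bypassing whatever resolver the OS is configured to use.
"""
import socket
import struct

TXID = 0x1234  # fixed transaction id, fine for a one-shot diagnostic


def build_query(name, txid=TXID):
    """Return the wire bytes of a DNS query for the A record of `name`."""
    # id, flags (RD=1), qdcount=1, ancount=0, nscount=0, arcount=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def skip_name(buf, off):
    """Advance past a domain name that may end in a compression pointer."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer terminates the name
            return off + 2
        off += 1 + length


def parse_a_records(resp, txid=TXID):
    """Return IPv4 answers from a DNS response, or [] if it is not usable."""
    if len(resp) < 12:
        return []
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000 or flags & 0x000F:
        return []  # wrong id, not a response, or non-zero RCODE
    off = 12
    for _ in range(qd):                 # skip the echoed question section
        off = skip_name(resp, off) + 4
    addrs = []
    for _ in range(an):
        off = skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return addrs


def resolve_direct(name, server="8.8.8.8", timeout=3.0):
    """Query one resolver over UDP/53, ignoring the OS resolver settings."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name), (server, 53))
            data, _ = sock.recvfrom(512)
        except OSError:
            return []
    return parse_a_records(data)


def resolve_system(name):
    """Resolve through whatever resolver the OS is configured to use."""
    try:
        return [socket.gethostbyname(name)]
    except OSError:
        return []


def classify(system_answers, direct_answers):
    """Map the two probe results to a diagnosis."""
    if system_answers:
        return "ok"
    if direct_answers:
        return "dns-settings-broken"   # network works; configured resolver does not
    return "no-connectivity"           # nothing reaches the Internet (or UDP/53 is blocked)


# Constructed sample response: example.com -> 192.0.2.1 (documentation address).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0)        # QR=1, RD, RA, RCODE 0
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)  # echoed question
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    name = "www.example.com"
    print(classify(resolve_system(name), resolve_direct(name)))
```

A "dns-settings-broken" verdict means the fix is local: remove the malware and restore the resolver settings on the PC (and on the home router, if that is what was changed). A "no-connectivity" verdict is the ISP-or-cable case, not this story.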

They actually won't lose their internet access. It's only their DNS that will stop working.

Agreed. Editors: I think the Ars audience is plenty technical enough that it's OK to actually use accurate headlines for something like this. "Still infected, 300,000 PCs to be cut off from DNS July 9" or similar would be fine.

That said, as a practical matter DNS is pretty critical, and for most people, particularly anyone who can't manage to patch a system, losing it will be equivalent to losing functional net access.

KnightSword wrote:

Hardly seems fair to indict them for it,

Of course it's fair, as you said and beyond. The fact of the matter is that they constitute a public nuisance, simple as that. When a system is an active bot, it's causing a certain amount of trouble for others, and in a case like this where it's still a bot but no longer under C&C, it's still costing someone else money/trouble (in the form of maintaining the DNS service) that is not getting covered. Rather than your examples of changing oil and the like, it seems more accurate to compare it to not bothering to fix a broken muffler, catalytic converter or engine that is still running but is now burning some oil too. In all those cases one may be able to continue to operate the car just fine indefinitely, but it'll be a bother to everyone else on the road, and to society in general.

Even that is a bit of a stretch though (hence the danger of analogies), really no analogy is needed. None of these systems is having any change forced upon them, rather someone else is merely turning off their own, voluntary service, same as if some website decided to shutter their virtual doors. Nothing wrong with that.

If ISC controls the DNS server, why don't they simply redirect users to a landing page explaining their computers have been compromised? Right now, before the plug is pulled? No more internet, but at least there would be an explanation for those unaware of what's going on.

It seems unnecessary to cut off the replacement DNS servers altogether. Once people lose DNS, they will no longer be able to find instructions for fixing this issue online. Why not leave the servers up, but redirect them to pages describing the infection and how to fix it?

They actually won't lose their internet access. It's only their DNS that will stop working.

A lot of computer users won't recognize the distinction.

True, but it's important to note that the internet connection is not the problem, the problem is a misconfigured PC.

TomPollard wrote:

It seems unnecessary to cut off the replacement DNS servers altogether. Once people lose DNS, they will no longer be able to find instructions for fixing this issue online. Why not leave the servers up, but redirect them to pages describing the infection and how to fix it?

Because that costs money.

otri wrote:

If ISC controls the DNS server, why don't they simply redirect users to a landing page explaining their computers have been compromised? Right now, before the plug is pulled? No more internet, but at least there would be an explanation for those unaware of what's going on.

The federal government is extremely wary about redirecting people's internet connections without a warrant.

It seems unnecessary to cut off the replacement DNS servers altogether. Once people lose DNS, they will no longer be able to find instructions for fixing this issue online. Why not leave the servers up, but redirect them to pages describing the infection and how to fix it?

Training unsophisticated users to obey instructions that they see on a random website, telling them to alter their system settings - just like those "Your computer may be infected! Click here to install RogueAntivirus2012!!!"...

Malware writers who use social engineering to get people to install their malware would rejoice at the idea.

It seems unnecessary to cut off the replacement DNS servers altogether. Once people lose DNS, they will no longer be able to find instructions for fixing this issue online. Why not leave the servers up, but redirect them to pages describing the infection and how to fix it?

Why should taxpayers be footing the bill to keep up DNS for a small subset of users who don't bother to maintain their systems (this is hardly breaking news, and Microsoft has patched this long ago - at least the variant this article describes)? Something that also affects the rest of us when their PCs are used as bots to distribute spam and malware.

Meanwhile, my old 1984 RCA television still won't pick up any stations anymore, and boy am I pissed!

And why do all the dates on my computer say July 7, 1912?!? Why doesn't technology work any more?

How is this relevant? The age of the systems here doesn't have any bearing on the issue.

Perhaps I was being too oblique. They were both cases where people had plenty of warning that a big non-reversible change was coming, so they'd better pay attention. (And in the case of the analog television cut-off in the US, the deadline kept getting pushed out again and again because a lot of people didn't pay attention.)

They actually won't lose their internet access. It's only their DNS that will stop working.

Agreed. Editors: I think the Ars audience is plenty technical enough that it's OK to actually use accurate headlines for something like this. "Still infected, 300,000 PCs to be cut off from DNS July 9" or similar would be fine.

That said, as a practical matter DNS is pretty critical, and for most people, particularly anyone who can't manage to patch a system, losing it will be equivalent to losing functional net access.

Point taken. However, it essentially has the effect of cutting off their access to Internet services (while still allowing other malware to continue to use them as a platform for DDoS attacks, etc.).

Edit: I should add, my original headline for this story was "300,000 Dumbass computer users to be cut off from Web July 9", but I thought that might be too trollish.

Likelihood is that once they can't get to their favorite webpage or check their e-mail, they'll be calling the repair shop/customer service/friend to fix their system. Then they'll finally get their damned PCs cleaned. Maybe they'll even re-image from their vendor's included restoration CD/DVD. Also cleaning their system.

They actually won't lose their internet access. It's only their DNS that will stop working.

Ummm ... many of these people haven't patched their PCs yet because they're the least technologically savvy users on the internet, and you think they're going to google stuff by typing 74.125.228.46 in their browser address box?

Point taken. However, it essentially has the effect of cutting off their access to Internet services (while still allowing other malware to continue to use them as a platform for DDoS attacks, etc.).

It is slightly nitpicky, primarily because I expect most Arsians will in fact RTFA rather than just glancing at the headline, so this is more about polish overall. I think it does matter a little though due to two aspects. First, while the practical effect may be the same, the solution is not, and while there are unlikely to be many users here affected by the problem we're exactly the type of audience that might get a call asking for help in dealing with it. Second, what the headline suggested is not actually an entirely theoretical scenario. As discussed on Ars itself, cutting off malware-infected users at the ISP level really has been seriously proposed as one tool for dealing with such systems. It wouldn't strike me as non-credible if someone said they really were actually cut off from service due to an infection (and that would require contacting the ISP for reactivation at some point with whatever that entails).

Of course, someone actually working on it would probably realize the real issue very quickly so none of this is a big deal. More the principle of the matter I guess, we all want to hold Ars to the highest standards. Thanks for the reply.

They actually won't lose their internet access. It's only their DNS that will stop working.

Ummm ... many of these people haven't patched their PC's yet because they're the least technologically savvy users on the internet, and you're think they're going to google stuff by typing 74.125.228.46 in their browser address box?

We're talking about the headline for this article, which is (presumably) aimed at a technical audience. We should all understand the distinction, as should the person who wrote the headline.

The victims of the virus probably don't read Ars Technica, so we don't need to generalize on their behalf.

How was that 300,000 approximation made? If it wasn't done by monitoring unique hits on The Replacement Servers, then I'd be tempted to post something like this:

Quote:

I find myself wondering how many of those 300,000 computers are already dead and gone. That would be an interesting, if otherwise useless, stat. Think about the number of people who, when their already old Win 2k or even Win XP systems fail, simply hoist the Ethernet cable and drive a new system under it. Also, some small number of the 300,000 are probably running headless. I'm willing to bet that if we had those numbers, we could whittle that 300,000 down by, oh, maybe 0.0375%. (In other words, I know it doesn't matter - it would just be fun and geeky to know.)
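
On how a count like that is made: an added example (not ISC's code or data) that does the obvious thing with a resolver's query log, counting distinct client addresses per day and over the whole log. The log lines are constructed in the style of BIND 9 query logging; how ISC actually logged and counted is not described on this page. A NAT gateway hides any number of PCs behind one address and DHCP churn makes one PC show up as several, so the figure is an estimate either way.

```python
"""Estimate still-infected client counts from a resolver's query log.

Added example; not ISC's code or data. Log lines are constructed in the
style of BIND 9 query logging.
"""
import re
from collections import defaultdict

# date, time, then "client <addr>#<port>:"; the rest of the line is ignored
QUERY_LINE = re.compile(r"^(\d{2}-[A-Za-z]{3}-\d{4}) \S+ client (\S+)#\d+:")


def clients_by_day(log_text):
    """Map each day to the set of distinct client addresses seen that day."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_LINE.match(line)
        if m:
            seen[m.group(1)].add(m.group(2))
    return seen


def daily_counts(log_text):
    """Distinct clients per day, e.g. {'07-Jul-2012': 2}."""
    return {day: len(addrs) for day, addrs in clients_by_day(log_text).items()}


def total_clients(log_text):
    """Distinct clients across the whole log: a floor on machines behind
    NAT, and an over-count where DHCP hands one PC several addresses."""
    return len(set().union(*clients_by_day(log_text).values()))


# Constructed sample log (documentation addresses; not real traffic).
SAMPLE_LOG = """\
07-Jul-2012 10:15:01.123 client 198.51.100.7#51234: query: www.example.com IN A + (192.0.2.53)
07-Jul-2012 10:15:02.456 client 198.51.100.7#51235: query: mail.example.com IN MX + (192.0.2.53)
07-Jul-2012 10:16:09.001 client 203.0.113.44#4021: query: example.net IN A + (192.0.2.53)
08-Jul-2012 09:00:00.500 client 198.51.100.7#60000: query: example.org IN A + (192.0.2.53)
08-Jul-2012 09:00:01.500 client 203.0.113.45#4022: query: example.org IN A + (192.0.2.53)
this line is not a query log entry and is skipped
"""

if __name__ == "__main__":
    for day, n in sorted(daily_counts(SAMPLE_LOG).items()):
        print(day, n)
    print("total distinct clients:", total_clients(SAMPLE_LOG))
```

The per-day figure is the one that answers the "already dead and gone" question: a machine that has been replaced or switched off stops appearing, while the all-time total keeps it forever.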

Honestly, as far as messages about this that the general public might actually have seen (as opposed to the more tech-oriented here), the ones that stand out the most to me have been the right-wing talk radio scares about how Obama was going to take away their internet this summer.

Great information, and comments. I would be more concerned if I didn't go through computers like sneakers... Good post, Sean, I'm sure that helped clear things up for some users, I'll be sure to share on my SM channels to help get the word out.

If ISC controls the DNS server, why don't they simply redirect users to a landing page explaining their computers have been compromised? Right now, before the plug is pulled? No more internet, but at least there would be an explanation for those unaware of what's going on.

Exactly what I was thinking.

sep332 wrote:

The federal government is extremely wary about redirecting people's internet connections without a warrant.

You are totally right. "And then one day, I couldn't use the internet anymore, and I had to pay someone $200 to fix my 10-year-old computer. I deserve compensation for the loss of money and time because of the government's actions."

300,000 is hardly an Apocalypse. Either they will fix it, get it fixed, or be without internet. One good thing will come out of it: 300,000 people will spend money on either new PCs or getting it fixed at a local PC repair store. I would hope they would go to a local repair store if it is a decent machine. This is actually good for business and the local economy. Though I feel sorry for these people's lack of interest or ability to correct the issue.

I sell a clean-up package that includes antivirus that would fix this issue with ease for $79.00, but of course you would have to bring your PC or laptop to me. And none of you are close enough. LOL. Just saying, not all PC repair shops are crooks.